Create a Custom RBAC Role

While Azure ships with many built-in roles that cover most requirements, some use cases call for a custom Role-Based Access Control (RBAC) role. Read more here. In this example, we create a custom role that lets users only start and restart VMs (a later step adds deallocate, which is what the portal's Stop button does):

In Azure PowerShell (Az module) or Cloud Shell, run the following commands:


# Clone the built-in "Virtual Machine Contributor" as a template, then clear its Id
# so New-AzRoleDefinition creates a new definition instead of failing on the built-in one
$role = Get-AzRoleDefinition "Virtual Machine Contributor"
$role.Id = $null
$role.Name = "Virtual Machine Operator"
$role.Description = "Can monitor and restart virtual machines."
# Drop every inherited permission and grant only what the operator needs:
# */read entries are control-plane reads only; the two start/restart actions are the
# only write operations on VMs. Note that alertRules/* and Support/* are full wildcards
# (create/delete as well as read), inherited from the built-in template.
$role.Actions.Clear()
$role.Actions.Add("Microsoft.Storage/*/read")
$role.Actions.Add("Microsoft.Network/*/read")
$role.Actions.Add("Microsoft.Compute/*/read")
$role.Actions.Add("Microsoft.Compute/virtualMachines/start/action")
$role.Actions.Add("Microsoft.Compute/virtualMachines/restart/action")
$role.Actions.Add("Microsoft.Authorization/*/read")
$role.Actions.Add("Microsoft.ResourceHealth/availabilityStatuses/read")
$role.Actions.Add("Microsoft.Resources/subscriptions/resourceGroups/read")
$role.Actions.Add("Microsoft.Insights/alertRules/*")
$role.Actions.Add("Microsoft.Support/*")
# AssignableScopes limits where the role may be assigned; keep it to the subscriptions
# (or resource groups) that actually need it rather than the whole tenant
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/aaaaaa-bbbbbb-cccccc-dddddd-eeeeee-ffffff")
New-AzRoleDefinition -Role $role

Run the script to create the role. Allow a few minutes for it to appear in the Azure portal. You can view the custom role in PowerShell with the command below:


Get-AzRoleDefinition "Virtual Machine Operator" | ConvertTo-Json
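Before assigning the role it is worth checking what the wildcard entries actually grant. The script below is an added example, not part of the original article: it builds a local copy of the role's action list from the script above (constructed input, so it runs without signing in to Azure; swap in `Get-AzRoleDefinition` for a live role) and flags every wildcard action that is not limited to read operations.

```powershell
# Added example: flag wildcard actions in a role definition that grant more than read.
# Constructed input: the action list from the script above, so no Azure sign-in is needed.
# For a live role, replace $role with: $role = Get-AzRoleDefinition "Virtual Machine Operator"
$role = [pscustomobject]@{
    Name    = "Virtual Machine Operator"
    Actions = @(
        "Microsoft.Storage/*/read",
        "Microsoft.Network/*/read",
        "Microsoft.Compute/*/read",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/restart/action",
        "Microsoft.Authorization/*/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.Support/*"
    )
}

function Find-BroadAction {
    <#
      Returns each Action that contains a wildcard and is not explicitly limited to a
      read operation. "Microsoft.Compute/*/read" is fine (reads only);
      "Microsoft.Insights/alertRules/*" is not, because it also covers write and delete.
    #>
    param([Parameter(Mandatory)] $RoleDefinition)

    foreach ($action in $RoleDefinition.Actions) {
        $hasWildcard = $action.Contains('*')
        $readOnly    = $action.EndsWith('/read')
        if ($hasWildcard -and -not $readOnly) {
            [pscustomobject]@{ Role = $RoleDefinition.Name; BroadAction = $action }
        }
    }
}

$broad = @(Find-BroadAction -RoleDefinition $role)
if ($broad.Count -eq 0) {
    Write-Output "No wildcard write actions found in '$($role.Name)'."
} else {
    Write-Warning "$($broad.Count) wildcard action(s) in '$($role.Name)' grant more than read:"
    $broad | Format-Table -AutoSize
}
```

For the role defined above this reports `Microsoft.Insights/alertRules/*` and `Microsoft.Support/*`, both inherited from the built-in Virtual Machine Contributor template. If operators do not need to create alert rules or support tickets, replace them with the specific read actions or drop them. The `*/read` entries are control-plane reads only; for example, listing storage account keys is `Microsoft.Storage/storageAccounts/listKeys/action` and is not covered by `Microsoft.Storage/*/read`.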


To assign the new role to a group in the portal, navigate to the resource (or the resource group or subscription, depending on the scope you want) > Access control (IAM) > Role assignments > Add role assignment. Under 'Role', select the custom role created earlier; under 'Assign access to', select 'User, group, or service principal'; search for the desired group and select [Save]. Users may need to sign out of and back into the Azure portal for the change to take effect, since role assignments can take several minutes to propagate.
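The same assignment can be scripted, which is easier to review and repeat than the portal steps. The block below is an added example, not from the original article; the group name and resource group are placeholders, and it assumes the custom role above already exists and that the subscription in its AssignableScopes contains the target resource group (otherwise New-AzRoleAssignment fails).

```powershell
# Added example (not from the original article): assign the custom role to a group
# from PowerShell at resource-group scope and verify the result.
# Assumptions: the role from the article exists; the names below are placeholders.
$roleName      = "Virtual Machine Operator"
$groupName     = "VM-Operators"      # assumed Entra ID group display name
$resourceGroup = "rg-prod-vms"       # assumed resource group; the narrowest scope that fits

# Resolve the group to its object ID; assignments are made against the ID, not the name.
$group = Get-AzADGroup -DisplayName $groupName
if (-not $group) { throw "Group '$groupName' not found." }

# The target scope must sit inside one of the role's AssignableScopes.
$role = Get-AzRoleDefinition $roleName
if (-not $role) { throw "Role '$roleName' not found." }

# Idempotent: only create the assignment if it does not already exist.
$existing = Get-AzRoleAssignment -ObjectId $group.Id `
                                 -RoleDefinitionName $roleName `
                                 -ResourceGroupName $resourceGroup
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $group.Id `
                         -RoleDefinitionName $roleName `
                         -ResourceGroupName $resourceGroup | Out-Null
    Write-Output "Assigned '$roleName' to '$groupName' on resource group '$resourceGroup'."
} else {
    Write-Output "'$roleName' is already assigned to '$groupName' on '$resourceGroup'."
}

# Verify: list every assignment of this role visible at the resource-group scope.
# Assignments inherited from the subscription are included, so check the Scope column.
Get-AzRoleAssignment -RoleDefinitionName $roleName -ResourceGroupName $resourceGroup |
    Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope |
    Format-Table -AutoSize
```

Assigning at resource-group scope rather than the whole subscription keeps the operators' start/restart rights to the VMs they are responsible for; the role's AssignableScopes only controls where an assignment is allowed, not where one is made.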

To modify an existing custom role, add the extra action in PowerShell or Cloud Shell, for example deallocating VMs (the portal's Stop). Note that Set-AzRoleDefinition updates the role in place, so every existing assignment of the role gains the new permission as soon as the change propagates:

$roleDef = Get-AzRoleDefinition "Virtual Machine Operator"
# deallocate/action releases the VM's compute resources (what the portal's Stop does);
# powerOff/action would only shut the VM down while it stays allocated and billed
$roleDef.Actions.Add("Microsoft.Compute/virtualMachines/deallocate/action")
# The subscription is already an assignable scope from the original definition;
# only add it if it is missing, to avoid a duplicate entry
$scope = "/subscriptions/aaaaaa-bbbbbb-cccccc-dddddd-eeeeee-ffffff"
if ($roleDef.AssignableScopes -notcontains $scope) { $roleDef.AssignableScopes.Add($scope) }
Set-AzRoleDefinition -Role $roleDef